A Hacker Broke Into a Few of Reddit's Systems and Managed To Access Some User Data, Company Says (reddit.com)
A hacker broke into a few of Reddit's systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords, Reddit said Wednesday. From the announcement: Since then we've been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again. Reddit says the incident occurred between June 14 and June 18 when the hacker "compromised a few of our employees' accounts with our cloud and source code hosting providers." Interestingly, even though Reddit employees maintain 2FA on their accounts, the attacker managed to get access to their data. "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," the company said. The company says it has reason to believe the attacker had access to the following data: All Reddit data from 2007 and before including account credentials and email addresses. What was accessed: A complete copy of an old database backup containing very early Reddit user data -- from the site's launch in 2005 through May 2007. In Reddit's first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then. How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you're clear here.
... theft of a backup tape or EHD by a former Reddit employee.
It little behooves the best of us to comment on the rest of us.
This is why I don't have a Reddit, or a Slashdot, account. Can't steal information that doesn't exist.
Just more proof SMS 2FA is really just 1FA
A) Why are they even keeping backups that old, and B) not to mention, NOT ENCRYPTED?? Basic Security fail...
== WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
Hacker was found in basement having turned to a pillar of salt by looking at Raw Reddit.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
They were using SMS 2FA? Really?? That said it sounds like the number impacted was small, so at least Reddit learned from this (relatively) smaller incident instead of something bigger happening.
I can't quite tell if you're trolling so I'll bite. Yes a non-trivial number of those Reddit users will have their password hashes rainbow tabled, and then their email/password combos will be used to access their accounts on other sites. Even 11 years later. In fact, my place of employment will probably be adding the Reddit list to the list of credential combos we run against our own systems to make sure bad guys can't try the same trick here. (We tend to mysteriously force a silent password change on affected users.)
Rainbow tabled??? If the hashes were salted, and it says in the summary they were, then rainbow tables would be unlikely. Rainbow tables would have to be generated for each salt, and, presuming the salts weren't incredibly stupid, the number of hashes per salt wouldn't be common enough to make rainbow tables worthwhile.
However, they could and presumably would generate hashes using a brute force approach.
Reddit supports anonymous users. If I get compromised on one of my accounts the worst that can happen is someone posts praising Obama in r/the_donald making me lose 10,000+ karma points. Not terribly important IMHO.
11 years ago MD5 was still the go-to encryption of choice. Generating a rainbow table for that is possible in an hour or so with a cluster of rented Amazon GPU servers, at a pretty low price, especially if stolen credit cards are involved. This isn't the problem it used to be.
Now if it's properly salted with a salt for each password, sure, it's a bit harder, but for a lot of folks salt just means add the word "SECRET" to the start of the password.
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
Jesus Christ, you fucking morons, these are social media sites run by private people/companies as they please.
And others are free to criticise them as they please. Whether or not they want to run their own social media website.
They can edit whatever they like
I wouldn't be as confident as you are if it came to court. Even if there's some BS covering this in the small print of the terms and conditions, putting words in someone's mouth without it being obvious this has been done sounds legally dubious to me.
ban people, delete posts, etc., as they wish.
Yes, they can. And others are free to criticise them for this. Whether or not they want to run their own social media website.
Run your own forum or get a fucking life, you fucking idiots!
This whole post is virtually the same logic hauled out by fanboys of big companies when they're criticised. No, the fact that someone isn't pointing a gun at my head forcing me to buy (e.g.) the latest iPhone doesn't negate my right to criticise it. Or require me to design and build my own iPhone.
Logically, this would preclude criticism of the vast majority of things and remove the critical/review information that a truly free market depends upon.
'Course, the irony with such fuckwits is that they act like they're defending free markets, when in fact they're attacking a core part of their functioning.
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
You have no idea what 'salted' passwords means, do you? It doesn't add the word 'SECRET' to every password or any other secret word. It adds a *different* random string to every password. This means rainbow tables are useless because the entire rainbow table would be specific to ONE user's password. It would be completely pointless to generate a rainbow table for ONE user instead of just a brute-force attack on that user, with or without a 'cluster of rented Amazon GPU servers'.
- For the complete works of Shakespeare: cat
Programming language security had nothing to do with this hack. Someone called the phone company and pretended to be a clueless customer who was trying to port his phone to a new provider. Lazy phone company rep decided that even though the "clueless customer" didn't pass any of the security questions he would go ahead and port the phone away anyway 'to be helpful'. Now the hacker can receive all SMS messages that were supposed to go to the phone. He logs into Reddit's backend as the user and it sends a 2FactorAuthentication code to the user's phone. Which the hacker is now receiving.
Sending codes as an SMS to a phone is terrible security and everyone has known this for years. Bitcoin exchanges have been very publicly hacked this way enough that no exchange would even consider using SMS for security. I'm surprised Reddit, which has a very technical community, allowed this.
BTW my bank still ONLY offers SMS security :-(
- For the complete works of Shakespeare: cat
>> Rainbow tabled??? If the hashes were salted,
Depends again on how they salted. If they used one salt for all passwords (as I've seen before) and it was captured too, then game over. However, if each entry had its own salt then yep, you're correct. (And thanks for reading the TFA - I always seem to lose interest before I get there.)
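As an added illustration of the salting argument running through the posts above (it is not code from any commenter or from Reddit), this Python sketch stores three constructed toy passwords three ways: unsalted, with one shared salt that leaked along with the dump, and with a random salt per user. One precomputed hash table, built once, recovers the wordlist passwords in the first two cases, while the per-user case forces the wordlist to be re-hashed for every account. MD5 and the five-word wordlist are stand-ins chosen to keep the run instant.

```python
import hashlib
import os

# Constructed sample data: three users and the wordlist a cracker would try.
USERS = {"alice": "password", "bob": "hunter2", "carol": "correct-horse-zx9"}
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "dragon"]
GLOBAL_SALT = b"SECRET"  # the single shared "salt" the thread warns about

def md5_hex(salt: bytes, password: str) -> str:
    # MD5(salt || password): the 2007-era construction the thread is debating.
    return hashlib.md5(salt + password.encode()).hexdigest()

def store(scheme: str) -> dict:
    """Return {user: (salt, hash)} under an unsalted, global-salt or per-user-salt scheme."""
    salts = {"none": lambda: b"", "global": lambda: GLOBAL_SALT, "per_user": lambda: os.urandom(16)}
    out = {}
    for user, pw in USERS.items():
        salt = salts[scheme]()
        out[user] = (salt, md5_hex(salt, pw))
    return out

def lookup_attack(records: dict, salt: bytes = b"") -> dict:
    """Precompute hash->password ONCE for a given salt (a stand-in for a rainbow
    table) and reuse that single table against every hash in the dump."""
    table = {md5_hex(salt, w): w for w in WORDLIST}
    return {u: table[h] for u, (_, h) in records.items() if h in table}

def per_user_brute_force(records: dict) -> tuple:
    """With a distinct salt per user nothing can be precomputed and shared: the
    wordlist must be re-hashed for every user. Returns (recovered, hashes_computed)."""
    recovered, work = {}, 0
    for user, (salt, h) in records.items():
        for w in WORDLIST:
            work += 1
            if md5_hex(salt, w) == h:
                recovered[user] = w
                break
    return recovered, work

def demo() -> dict:
    per_user = store("per_user")
    return {
        "unsalted": lookup_attack(store("none")),
        # the shared salt leaked with the dump, so one table still covers everyone
        "global_salt": lookup_attack(store("global"), GLOBAL_SALT),
        "per_user_lookup": lookup_attack(per_user),  # the shared table finds nothing
        "per_user_brute_force": per_user_brute_force(per_user),
    }
```

The defensive takeaway matches the posts: a salt only buys anything when it is random and distinct per record, and even then a fast hash like MD5 still leaves every weak password one short wordlist away.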